How do you use systemd's journalctl patterns

Solution 1:

This was a doc bug that was closed when the typo in the man page was updated.

The bug report led to the following comments in the code:

We don't actually accept patterns, hence don't claim so.

As a workaround, you may be able to use grep as suggested in the comments to your question. Something like this:

journalctl | grep sshd

Solution 2:

The original question titles "How do you use systemd's journalctl patterns". This points to a very specific feature of the journalctl called "MATCHES" rather than a generic regular expression filtering.

The "MATCHES" feature is fully detailed along with all other features at its friendly man page which states at its very beginning:

If one or more match arguments are passed, the output is filtered accordingly.

The "matches" feature is meant to filter the log entries out based upon a number of possible filters.

For cases like the one in the original question, this is how I do (I do run ArchLinux too).

First, you need to know the service name you are interested in. I usually do this:

systemctl | grep sshd

I get this:

sshd.service       loaded active running   OpenSSH Daemon

Then you can ask journalctl to filter by the "systemd unit name" like this:

journalctl _SYSTEMD_UNIT=sshd.service

It's called "the matches filtering". That'd be it.

In case the original question was written instead to mean "how to apply grep to journalctl output", then you can either apply grep to the logs stored "so far" with

journalctl | grep ssh

or look at the currently incoming log entries with

journalctl -f | grep ssh

and hit CTRL-C to stop the flow. Of course, you can use more complex pipes with either finer grained regular patterns or multiple grep commands.